In 2011, the US Department of Homeland Security US-CERT
(United States Computer Emergency Readiness Team) conducted an experiment
on security staff. ‘How easily hackers can access the system through employees’.
The experiment was to drop a USB drive into the parking lot of the security
department and see if the employees were using it on the in-house PC.
What was the result?
About 60% of them used a USB drive which fell to the ground, and 90% used
a USB drive or CD with official logo of DHS. I forgot all the risks that there
might be malware in the USB and used it on my PC.
The biggest security vulnerability is the employee’s “idiocy”.

Two US power plants infected
with malware spread via USB drive
Two US power plant networks were infected with malware that was spread by a USB drive plugged in by a subcontractor, who wanted to check on production facilities.
The malware affected 10 PCs in the turbine management system and system downtime, which caused a 3-week delay in system restart.
Supervisory Control and Data Acquisition (SCADA) or Industrial Control System (ICS), that is, industrial control systems are especially vulnerable to immediate threats of machine interruption or remote attack. Malware infection path was a USB port this time, but all other data ports were equally vulnerable.
See articles >

Under worm assault, military
bans disks, USB drives
An example of a cyber attack designed to destroy nuclear centrifuges is the Stuxnet worm attack, which infected the Supervisory Control and Data Acquisition (SCADA) system at Iran’s Bushehr nuclear power plant. Through a USB drive, malicious codes spread throughout the internal network, infecting more than 60,000 PCs and halting the plant’s operation for two years.
Many companies, including power plants, the military and others, have already taken measures to prohibit the use of removable data storage devices such as DISK and CDs for increased cyber security.