Or the operator just didn't follow procedure and plugged it in. Work in an ICS environment for one week, and you'll see the probability of this happening is close to 100%. Most of these folks don't even know what a cyber attack even is, or even how it could happen let alone how to stop it. It's science fiction to them, they don't care because it's FICTION. As a friend in the industry one said once: the typical operator is a monkey: press the button get a banana. Horribly offensive, I admit, but I've unfortunately seen it myself. The human factor, that wonderful human factor will get you every, single time. Remember, these are people that have never even heard of a cyber attack except maybe in a movie or TV show, and even then they probably thought it was nonsense. They not only don't care, they don't even know they should care. It's all magic to them. The world is flat, and it makes sense because it's LOOKS flat.

All the USB ports should be sealed with epoxy...

And all the guys you want to deter to plug in a usb-stick are much more skilled with tools, metalwork, electrical connections than you are...

Better disable the usbstor service so that the USB ports are still working, only they don't make usb storage devices appear as disk drives :-).

(also some software might require a license-dongle to be plugged in)

You could also clip the connections at the motherboard but I am guessing most of them would be too lazy to bring in a new port to solder up.

So, often people will image a computer (e.g. to a 2nd harddisk or DVD) after changes had been made. So returning after one year you'll find that the hardware had failed for whatever reason and the image put back on another PC. So, restricting access in Software is more viable, in my oppinion.