An American power plant was disabled by malicious software carried into its control systems on USB sticks - and was left shut down for three weeks.
Another plant found a similar malware infection in computers which controlled turbine systems.
Industrial control systems are usually disconnected from the internet for safety reasons - but 'crimeware' carried on USB sticks was found in control systems in the two plants late last year.
The cases were reported by the U.S. Department of Homeland Security's Cyber Emergency Response Team - which also predicted a rise in such infections.
Malicious software can in theory be used to 'remote control' industrial systems - or even cause physical damage by making systems operate wrongly.
Concerns have been raised over the safety of industrial control systems after the discovery of a worm, Stuxnet, in 2010, which appeared to have been built to cause damage to Iran's Busehr nuclear plant.
In the first case, according to the Cyber Emergency Response team, "a handful of machines had likely had contact with the tainted USB drive."
"The team discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment."
The second infection was carried into a plant by a technician and infected turbine control systems.
It's not clear what particular malware packages infected the machines.
The Stuxnet worm raised concerns over the vulnerability of industrial systems when it was discovered in computers at Iran's Busehr plant in 2010.
Stuxnet was designed to make centrifuges at the plant spin out of control, damaging them beyond repair - it was built specifically to spread to industrial computer systems, carried on USB sticks or infected laptops.
Other tests showed that attacks on similar ‘programmable logic controllers’ - simple computer systems used to control industrial systems - could cause damage in the real world.
In November 2011, security researchers in America showed that some computer controlled cell doors in prisons could be opened remotely via the internet.
Earlier tests in 2007 proved that hackers could overwhelm a diesel generator, causing it to self destruct.
At the time, the U.S. government described such cyber attacks as ‘a new kind of weapon’.