So yeah, this is really, really bad.
 This is well-established infosec fact. It's not controversial. Latest case I know of was at JPL a few weeks ago.
The better ones have awareness of their network and have systems monitoring their networks, etc. There are afterall the equivalents of Qualys in the IA world.
How do you plug in a mouse or keyboard?