"Malicious USB devices"
Sorry, but I am less worried about that than I am worried about state-backed miscreants infiltrating and wreaking havoc from afar.
The rule is always the same anyway : once local access is possible, all bets are off and the system can easily be compromised. A malicious USB means some traitor has decided to usurp his position and authority in order to do evil. There are safeguards against that, but the best safeguard is treating your personnel properly and paying them fairly. If they work in a serious branch of industry, they should know the importance of their position and that should be sufficient.