IEC 61850 Sampled Values (SV) and Generic Object Oriented Substation Event (GOOSE) protocols face growing real-world cyber-attack threats in substation automation, yet existing testbeds lack protocol-aware attack injection and precise temporal observability. Method: This paper designs and implements the first closed-loop Cyber-Physical System (CPS) security testbed enabling protocol-level attack injection and millisecond-accurate timing capture. It integrates IEC 61850 protocol stack emulation, FPGA-based hardware-in-the-loop (HIL), real-time Linux time synchronization, and dynamic network traffic injection with behavioral analysis. Contribution/Results: The platform enables the first systematic modeling of SV/GOOSE protocol-layer attacks and real-time, quantitative evaluation of system response dynamics. It successfully reproduces multiple protocol-specific attacks and captures sub-millisecond-resolution timing traces from actual devices. Experimental validation demonstrates detection latency ≤3 ms and mitigation initiation ≤15 ms, significantly enhancing the testability, verifiability, and timeliness of substation cybersecurity defenses.

A Cyber-Physical System (CPS) testbed serves as a powerful platform for testing and validating cyber intrusion detection and mitigation strategies in substations. This study presents the design and development of a CPS testbed that can effectively assess the real-time dynamics of a substation. Cyber attacks exploiting IEC 61850-based SV and GOOSE protocols are demonstrated using the testbed, along with an analysis on attack detection. Realistic timing measurements are obtained, and the time frames for deploying detection and mitigation strategies are evaluated.