A power system is a complex cyber-physical system whose security is critical to its function. A major challenge is to model, analyse and visualise the communication backbone of the power systems concerning cyber threats. To achieve this, the design and evaluation of a cyber-physical power system (CPPS) testbed called Resilient Energy Systems Lab (RESLab) are presented to capture realistic cyber, physical, and protection system features. RESLab is architected to be a fundamental platform for studying and improving the resilience of complex CPPS to cyber threats. The cyber network is emulated using Common Open Research Emulator (CORE), which acts as a gateway for the physical and protection devices to communicate. The physical grid is simulated in the dynamic time frame using Power World Dynamic Studio (PWDS). The protection components are modelled with both PWDS and physical devices including the SEL Real-Time Automation Controller (RTAC). Distributed Network Protocol 3 (DNP3) is used to monitor and control the grid. Then, the design is exemplified and the tools are validated. This work presents four case studies on cyberattack and defence using RESLab, where we demonstrate false data and command injection using Man-in-the-Middle and Denial of Service attacks and validate them on a large-scale synthetic electric grid.This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.