The trustworthiness and security of cyber-physical systems (CPSs), such as the power grid, are of paramount importance to ensure their safe operation, performance, and economic efficiency. The aim of many cyber-physical security techniques, such as network intrusion detection systems (NIDSs) for CPSs, is to ensure continuous reliable operation even in exposed network environments. But the validation of such methods goes well beyond standard network analysis, since meaningful tests must also integrate realistic understanding of the physical systems behavior and response to the network activity. Our goal in this paper is to showcase an example of a testbed environment that can support such validation. In it, real network traffic, emulating and industrial control network, interacts with simulated physical models in real-time, extending and leveraging "hardware-inthe-loop" and "cyber-in-the-loop" capabilities. The testbed is a bridge between theory and practice and offers a number of features, including network communications, data management, as well as the virtualization of cyber-physical state analytics performed by the NIDS. The traffic is captured by real network taps and is forwarded to a real data management environment, receiving also the data reports from the simulated industrial control environment. To illustrate the capabilities of our testbed we show how the data are cross-checked by a "physics aware" NIDS, identifying network traffic that does not comply with its cyber-physical security rules.