Industrial control systems (ICSs) are extensively utilized worldwide to control and regulate various processes in energy utilities. It consists of various field devices, control and monitoring devices and communication devices. This paper focuses on the testing and analysis of various attack vectors that could potentially occur in a hardware-in-loop (HIL) Industrial Control System (ICS) testbed designed for a 500 MW thermal power plant. In this testbed, four typical process scenarios have been identified that can be manipulated through cyber-attacks, leading to severe issues such as plant shutdown or even explosions. The four significant plant scenarios recognized include minimal coal mill levels and increased temperatures in the classifier, heightened primary airflow to the coal mill, the tripping of an ID fan, and adjustment of the Super-heater temperature to its lowest setting. Also, we utilize the STRIDE threat modeling methodology to accurately represents the elements of Cyber-Physical Systems (CPS), their inter-dependencies, and the potential attack entry points and system vulnerabilities.