When a power system undergoes coordinated cyberattacks, the cascading events could result in a blackout. It is a complex process to restore the system after a cyberattack since both cyber and physical systems need to be restored. Traditionally power system restoration is focused on recovery of the physical power system. To extend the restoration methodology to a power grid as a cyber-physical system, this paper is concerned with the restoration of the cyber system based on detection and isolation of the attacked device and recovery of the functions through collaboration among multiple devices. To this end, at the first stage, the substation automation system (SAS) recovers independently of any untrusted remote control. This paper proposes a new strategy for cyber recovery at an IEC 61850 based SAS following a cyberattack. The compromised components are isolated at the substation Local Area Network (LAN) by dynamic network reconfiguration, which is implemented with the centralized controller of Software Defined Network (SDN). Furthermore, the proposed collaborative Intelligent Electronic Devices (IEDs) are deployed to recover the main functions of the compromised device. A cyber-power system testbed with the SDN controller and commercial grade IEC 61850 code has been developed for implementation and validation of the proposed strategy.