Security of cyber-physical systems (CPS) is a challenge for increasingly integrated systems today. To analyze and design detection and defense mechanisms for CPSs requires new system frameworks. In this paper, we establish a zero-sum hybrid stochastic game model, that can be used for designing defense policies for cyber-physical systems against attackers of different types. The hybrid game model contains physical states described by the system dynamics, and a cyber state that represents the detection mode of the system. A system selects a subsystem by combining one controller, one estimator and one detector among a finite set of candidate components at each state. In order to provide scalable and real-time computation of the switching strategies, we propose a moving-horizon approach to solve the zero-sum hybrid stochastic game, and obtain a saddle-point equilibrium policy for balancing the system's security overhead and control cost. This approach leads to a real-time algorithm that yields a sequence of Nash equilibrium strategies which can be shown to converge. The paper illustrates these concepts using numerical examples, and we compare the results with previously known designs.