Abstract: The interaction between the power private network and the public Internet can deeply tap the flexibility potential of the virtual power plants. However, when providing flexibility services, the virtual power plant is vulnerable to cyber attacks on the public network side, resulting in a lack of flexibility, which affects the operation safety of the new power system. Aiming at the scenario of virtual power plants suffering from coordinated cyber attacks, first, according to the operation mechanism and communication network architecture of virtual power plants, the potential ways of cyber attacks on the public Internet side are given. Secondly, a mixed logical dynamical model of electric vehicles is established to deduce its flexibility regulation capacity in the subsequent time sections. Then, the event-driven models of two typical cyber attacks, i.e. false data injection and denial of service, are established. Based on this, the dynamic deduction method of power grid security state based on even-driven hybird flow model is obtained. Finally, the modified IEEE 30-bus system is simulated, and the results show that the proposed method can depict the cross-space propagation paths of coordinated cyber attacks and quantify the harm of coordinated cyber attacks to power grids, which lay a foundation for grid operators to carry out dynamic risk assessment and cyber security protection.