Abstract: Virtual power plants (VPPs), as an emerging type of power system, significantly improve the grid's resource aggregation capability. However, when integrating and dispatching numerous energy resources, VPPs still face challenges including expanded attack surfaces, increased vulnerabilities, and severe failure consequences. This paper first clarifies VPPs' definition and structure, analyzes security requirements concerning operational vulnerabilities, and proposes corresponding security metrics. It then examines the evolution and development trends of cybersecurity in power systems, summarizes existing security hardening methods and practices, and identifies VPP-specific potential security threats. Building on this foundation, a five-dimensional security defense system is proposed, addressing VPPs' device, access, communication, data, and operational aspects. Specific security measures applicable to VPPs are analyzed. Finally, the application prospects of three emerging security technologies i.e. zero trust, situational awareness, and blockchain in virtual power plants are explored.