Existing satellite network security solutions are largely confined to point-to-point encryption on individual satellites, struggling to address challenges posed by dynamic constellation topologies, resource constraints, and potential security function failures. This work pioneers a constellation-level security perspective by introducing a hybrid security architecture that integrates end-to-end encryption with Moving Target Defense (MTD). The proposed framework incorporates a dual-mode management mechanism, security-aware routers, and a shared cryptographic module pool, enabling redundant sharing and adaptive switching of security functions. Designed to comply with both DVB and CCSDS standards, the architecture significantly enhances the resilience, reliability, and sustained secure operation of satellite constellations under resource limitations or partial security component failures.

Satellite constellations equipped with Inter-Satellite Links and onboard packet switching enable real-time Operation and Management across globally distributed satellites, but also broaden the attack surface and introduce unprecedented cybersecurity threats. Existing efforts mainly focus on cryptography for single-satellite point-to-point links, without considering constellation-level security. To address this gap, this article extends security research in two directions: from individual satellites to constellation-wide architectures, and from isolated cryptography to system-level security incorporating efficiency, resilience, and reliability. These extensions raise three key questions: how to design efficient security mechanisms for dynamic constellation topologies with adaptive onboard routing; how a constellation O&M system can recover resiliently under worst-case failures of onboard security functions; and how to improve the reliability of onboard security functions under stringent resource constraints. To address these challenges, we first construct a constellation-wide hybrid security framework that protects semantically sensitive content fields using End-to-End encryption, while safeguarding routing-related fields through Moving Target Defense. Next, we introduce a ciphered-mode and safe-mode management mechanism with an M-delayed fallback that balances recovery timeliness and exploitability. Finally, we propose security-aware routers that manage plaintext/ciphered modes and coordinate access to a shared pool of onboard cipher modules, enabling redundancy sharing across multiple endpoints and extending secure operation duration in ciphered mode. These solutions comply with existing standards defined by organizations including DVB and the CCSDS, while translating conceptual security principles into practical system-level mechanisms.