RTS-ABAC: Real-Time Server-Aided Attribute-Based Authorization & Access Control for Substation Automation Systems

📅 2026-03-24
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses a critical gap in existing substation automation security standards—such as IEC 61850 and IEC 62351—which lack support for attribute-based access control (ABAC) in time-critical scenarios and are thus vulnerable to emerging cyber threats. To overcome this limitation, the paper proposes a real-time server-assisted ABAC mechanism that, for the first time, integrates dynamic temporal attributes and time-varying policies into the ABAC framework. The solution employs a bump-in-the-wire architecture to seamlessly enhance the security of GOOSE and Sampled Value (SV) protocol communications, ensuring compatibility with both new and legacy systems. Experimental results demonstrate that 99.82% of packet round-trip delays remain below 6 milliseconds, achieving ultra-low latency while significantly strengthening the system’s cybersecurity posture.

📝 Abstract
Critical energy infrastructures increasingly rely on information and communication technology for monitoring and control, which leads to new challenges with regard to cybersecurity. Recent advancements in this domain, including attribute-based access control (ABAC), have not been sufficiently addressed by established standards such as IEC 61850 and IEC 62351. To address this issue, we propose a novel real-time server-aided attribute-based authorization and access control for time-critical applications called RTS-ABAC. We tailor RTS-ABAC to the strict timing constraints inherent to the protocols employed in substation automation systems (SAS). We extend the concept of conventional ABAC by introducing real-time attributes and time-dependent policy evaluation and enforcement. To safeguard the authenticity, integrity, and non-repudiation of SAS communication and protect an SAS against domain-typical adversarial attacks, RTS-ABAC employs mandatory authentication, authorization, and access control for any type of SAS communication using a bump-in-the-wire (BITW) approach. To evaluate RTS-ABAC, we conduct a testbed-based performance analysis and a laboratory-based demonstration of applicability. We demonstrate the applicability using intelligent electronic devices, merging units, and I/O boxes communicating via the GOOSE and SV protocol. The results show that RTS-ABAC is able to secure low-latency communication between SAS devices, as up to 99.82 % of exchanged packets achieve a round-trip time below 6 ms. Moreover, the results of the evaluation indicate that RTS-ABAC is a viable solution to enhance the cybersecurity not only in a newly constructed SAS but also via retrofitting of existing substations.
Problem

Research questions and friction points this paper is trying to address.

substation automation systems
attribute-based access control
real-time security
cybersecurity
time-critical communication
Innovation

Methods, ideas, or system contributions that make the work stand out.

RTS-ABAC
real-time attributes
time-dependent policy
bump-in-the-wire
substation automation systems
Authors
Moritz Gstür
Karlsruhe Institute of Technology (KIT)
Gustav Keppler
Karlsruhe Institute of Technology (KIT)
Mohammed Ramadan
Karlsruhe Institute of Technology (KIT)
Ghada Elbez
Karlsruhe Institute of Technology (KIT)
Veit Hagenmeyer
KIT
energy informatics, nonlinear control, smart grids