We propose a decentralized security framework for smart grids that supports data aggregation and access control. Data can be aggregated by the home area network (HAN), building area network (BAN), and neighboring area network (NAN) in such a way that the privacy of customers is protected. We use a homomorphic encryption technique to achieve this. The collected consumer data is sent to the substations, where it is monitored by remote terminal units (RTUs). The proposed access control mechanism uses attribute-based encryption (ABE), which gives selective access to consumer data stored in data repositories and used by different smart grid users. RTUs and users have attributes and cryptographic keys distributed by several key distribution centers (KDCs). RTUs send data encrypted under a set of attributes. Since RTUs are maintained in the substations, they are well protected in control rooms and are assumed to be trusted. Users can decrypt information provided they have valid attributes. The access control scheme is distributed in nature and does not rely on a single KDC to distribute the keys, which makes the approach robust. To the best of our knowledge, ours is the first work on smart grids that integrates these two important security components (privacy-preserving data aggregation and access control), and the first paper that addresses access control in smart grids.
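The HAN/BAN/NAN aggregation described above, as an added example that is not code from the paper: each gateway combines ciphertexts without holding a key, and only the aggregate total is ever decrypted. It assumes Paillier as the additively homomorphic scheme (the abstract does not name one), a toy key built from two Mersenne primes, and constructed gateway names and meter readings.

```python
import math
import secrets

# Toy Paillier key (constructed; both are Mersenne primes). Far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                                 # valid because g = n + 1

def encrypt(m):
    """Meter side: E(m) = (1+n)^m * r^n mod n^2, with fresh random r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def aggregate(ciphertexts):
    """Gateway side (HAN, BAN or NAN): multiply ciphertexts; no key needed."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % N2
    return acc

def decrypt(c):
    """Key holder side: L(c^lambda mod n^2) * mu mod n, with L(x) = (x-1)/n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

# Constructed sample: one NAN -> BANs -> HANs -> per-meter readings in Wh.
NEIGHBOURHOOD = {
    "ban-1": {"han-1a": [420, 515], "han-1b": [300]},
    "ban-2": {"han-2a": [610, 95, 230]},
}

def nan_ciphertext(nan):
    """Aggregate bottom-up; every level sees only ciphertexts."""
    ban_cts = []
    for hans in nan.values():
        han_cts = [aggregate([encrypt(w) for w in meters])
                   for meters in hans.values()]
        ban_cts.append(aggregate(han_cts))
    return aggregate(ban_cts)

if __name__ == "__main__":
    # Only the neighbourhood total is recovered, not any single reading.
    print("NAN total (Wh):", decrypt(nan_ciphertext(NEIGHBOURHOOD)))
```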