The new wave of device-level cyber-attacks has targeted IoT critical applications, such as in power distribution systems integrated with the Internet communications infrastructure. These systems utilise Group Domain of Interpretation (GDOI) as designated by International Electrotechnical Commission (IEC) power utility standards IEC 61850 and IEC 62351. However, GDOI cannot protect against novel threats, such as IoT device-level attacks that can modify device firmware and configuration files to create command and control malicious communication. As a consequence, the attacks can compromise substations with potentially catastrophic consequences. With this in mind, this article proposes a permissioned/private blockchain-based authentication framework that provides a solution to current security threats such as the IoT device-level attacks. Our work improves the GDOI protocol applied in critical IoT applications by achieving decentralized and distributed device authentication. The security of our proposal is demonstrated against against known attacks as well as through formal mechanisms via the joint use of the AVISPA and SPAN tools. The proposed approach adds negligible authentication latency, thus ensuring appropriate scalability as the number of nodes increases.