While it shouldn't be possible for anyone on the outside to access the server directly (as long as you don't forward any ports on the router), you'll be vulnerable to something like Cross-site request forgery. For example, if someone sent you an email message in HTML format (or get you to load a web page, or...), with an inline image loaded from http://192.168.1.50/control?outlet=all&action=off
(or whatever its IP address and syntax are), your mail client will try to load an image from that URL, and your outlets will turn off (or whatever).
So, if you have any sufficiently geeky friends who know your network setup, expect to get pranked. Actually, you should also expect random XSRF hits trying to exploit random other devices you may or may not actually have; if the controller's web server gets confused by any of these, they may break it accidentally.
[Update] Securing this better will depend a lot on what crypto capabilities the web server has -- I didn't see much info in a quick search, so I'm not sure what it can do. The simplest thing to do is add a password variable to the request. This isn't particularly secure, since it'll be visible on the wire, stored in history on the client and logged on the server, etc, but it's better than nothing (and better than using weird syntax, since it's easy to change). Do not use the same password you use for anything else.
Switching from GET to POST would also help a bit, especially since the HTTP standard says that GET requests aren't supposed to change the state of the server -- that is, it's supposed to be safe for clients to send/not sent GET requests depending on e.g. the state of their caches. Using HTTPS would help even more (if the server supports it). Using WebDAV digest authentication (instead of a password string) would also be good (again, if the server supports it), but you'd need to add some sort of protection against replay attacks for it to be really effective.