Connected and autonomous vehicles (CAVs) can fulfill the emerging demand for smart transportation on a global scale. Such innovations for transportation can bring manifold benefits, from fully autonomous driving services to proactive vehicle monitoring and traffic management. However, given the complexity involved in the deployment of CAVs, zero-tolerance safety and security measures must be incorporated to avert vehicle immobilization, road accidents, disclosure of sensitive data, or any other potential threats. In this article, we conceive a reference architecture for a CAVs ecosystem to derive a common attack taxonomy for the investigation of existing and emerging cyber threats. Subsequently, based on comprehensive studies of academic literature and industry white papers, we discuss security mechanisms for the CAVs ecosystem that can be useful for the safe and secure transportation of passengers from one destination to another. Our work can provide valuable insights to security engineers and system architects for investigating security problems using a top-to-bottom approach and can aid in envisioning robust security solutions to ensure seamless CAVs operations.